Intro to OKV: https://docs.oracle.com/en/database/oracle/key-vault/21.9/okvag/okv_concepts.html#GUID-36CEA9A9-33C0-495A-B224-9259B08DA072
full stack: security-hardened software built to centralize the management of keys and security objects within enterprises
okv - secrets management appliance which is fault tolerant, HA, scalable, secure, standards compliant
okv - centralizes key storage/retrieval/lifecycle
Security Objects the OKV can manage are:
1. Encryption keys
2. Oracle wallets
3. Java Keystores
4. Java Cryptography Extension (JCE) keystores
5. Credential files (ssh keys, db account passwords)
OKV is built on - refer to picture (01sep2024 - picture 1)
Oracle Linux, Oracle DB (Database Vault, VPD, TDE), GoldenGate
optimized for TDE and KMIP-compatible clients
standard it is aligned with: OASIS KMIP
Endpoint: computer systems - DB server, app server
(01sep2024 - picture 2)
benefits:
1. create, rotate, delete security objects (ex.: keys)
2. prevent loss of keys and wallets due to accidental deletion of passwords or forgotten passwords
3. share among authorized endpoints (e.g. a RAC cluster)
4. full stack includes all needed binaries (including clients)
5. works with other products - TDE, RAC, Data Guard, PDB
okv use cases:
Online master encryption is used to centralize TDE management over a direct network connection.
2 types of scenarios:
a. DB already encrypted
b. DB yet to be encrypted
In either case, storing the TDE key in a local wallet means we need to copy/remove the wallet files manually across dependent systems; with OKV the key is shared automatically based on endpoint permissions, and changes are reflected immediately.
Online master encryption is supported from 12.1.0.2 to 23ai
The following systems benefit from the centralized key management:
1. Oracle RAC
2. Data Guard
</gml_replace>
<gr_replace lines="35-36" cat="clarify" orig="Centralized management">
Centralized management of security objects makes storing/retrieving/backing up/recovering/retaining/tracking them over long periods seamless. Without it, we need to manually track the trail of file copies and manage them ourselves.
OKV can manage the security objects contained within wallets (encryption keys, passwords, X.509 certificates)
3. Shards
4. expdp/impdp operations
Centralized management of security objects might result in storing/retrival/backup/recovery/retaining/tracking for longer time seemless. If not we will need manual tracking of trail of file copy and manament of the same is needed.
OKV can manage the security objects contained within wallets (encryption key, passwords, X.509 certificates)
Refer to picture 4 for more details.
Credential files (keys, SSH keys, passwords) are treated as opaque files and are stored/retrieved as is.
Methods to access the security objects: RESTful API and okvutil
Target audience: DBA, security administrator or other information security personnel
major features:
Centralized management of keys and secrets (creation, distribution and deletion)
Audit trail for external auditors
MySQL encryption keys are supported
ACFS encryption
OKV can use RoT
Fault tolerant, secure, highly available, scalable
Centralized management of security objects:
Online master encryption key (creation and migration of encryption key to OKV)
wallets - a wallet file, once archived in the key store, can be retrieved if it is accidentally deleted at the source
credential files - SSH keys and Kerberos keytabs are stored/retrieved as needed across trusted endpoints
certificate files - .cer, .crt, .der, .p12, .pem etc. are stored/retrieved
SSH key (credential management): admins' public keys are added to OKV and distributed according to access requirements. SSH keys can be rotated as needed; key length and usage requirements apply.
Reports and alerts:
OKV audits usage of all the security objects
Alerts are sent for expiration, usage and limits; the alerts can be sent to external systems as well
3 users in OKV: key vault admin, audit admin, system admin
4th user: endpoint admin, specific to the endpoint
Persistent master encryption key cache: targeted mainly at standalone or primary-standby architectures, where the single master (OKV server) may become unavailable. In a multi-master deployment it is never a concern.
OKV performs backups to local as well as remote systems. Backups are hot, so they are non-disruptive. OKV performs incremental backups as well.
OKV uses RESTful services to deploy/manage/configure/administer endpoints, wallets, access controls and backup operations at scale. RESTful services can also be used to automate OKV tasks on endpoints.
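To make the cache point concrete, here is a small simulation I added for these notes (not Oracle's code, and not the actual OKV client logic). It models a TDE endpoint that asks a list of key servers for its master key, caches the key with an expiry, and falls back to the cache only while that expiry has not passed. The server names, key IDs, timeout value and the two scenarios are constructed; the real client's persistent cache is on disk and its lifetime is configured on the endpoint, which this model reduces to a single `cache_timeout` number.

```python
"""Simplified model of a TDE endpoint's persistent master encryption key cache.

Constructed illustration, not Oracle Key Vault code. Assumed (simplified) behaviour:
- the endpoint tries each configured key server in order;
- a key fetched from a server is cached with an expiry of `cache_timeout`;
- if no server is reachable, the cached key is used only while it is unexpired;
- otherwise the endpoint cannot obtain its master key (the database cannot open).
"""
from dataclasses import dataclass, field


@dataclass
class KeyServer:
    """One OKV node (name and key material are constructed sample values)."""
    name: str
    key_id: str
    key_bytes: bytes
    reachable: bool = True

    def fetch(self, key_id: str) -> bytes:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        if key_id != self.key_id:
            raise KeyError(key_id)
        return self.key_bytes


@dataclass
class Endpoint:
    """A database endpoint with an ordered server list and a key cache."""
    servers: list
    cache_timeout: float           # seconds a cached key stays usable
    _cache: dict = field(default_factory=dict)  # key_id -> (bytes, expiry)

    def get_master_key(self, key_id: str, now: float):
        """Return (key_bytes, source); source tells where the key came from."""
        for server in self.servers:
            try:
                key = server.fetch(key_id)
            except ConnectionError:
                continue                      # try the next node in the list
            # Refresh the cache on every successful server fetch.
            self._cache[key_id] = (key, now + self.cache_timeout)
            return key, "server:" + server.name
        # No server reachable: fall back to the cache while it is still valid.
        cached = self._cache.get(key_id)
        if cached is not None and now < cached[1]:
            return cached[0], "cache"
        raise RuntimeError("master key unavailable: no reachable server and no valid cache")


def run_scenario(servers, outage_server: str, cache_timeout: float):
    """Fetch at t=0, take one server down, then fetch at t=50 and t=150.

    Returns the list of key sources observed ('server:<name>', 'cache' or
    'unavailable'), which is what the two architectures differ in.
    """
    ep = Endpoint(servers=servers, cache_timeout=cache_timeout)
    observed = []
    for t in (0, 50, 150):
        if t == 50:
            for s in servers:
                if s.name == outage_server:
                    s.reachable = False
        try:
            _, source = ep.get_master_key("tde-master-1", now=t)
        except RuntimeError:
            source = "unavailable"
        observed.append(source)
    return observed


def standalone_scenario(cache_timeout: float = 100.0):
    """Single OKV server: after the outage only the cache keeps the DB running."""
    servers = [KeyServer("okv1", "tde-master-1", b"\x01" * 32)]
    return run_scenario(servers, "okv1", cache_timeout)


def multimaster_scenario(cache_timeout: float = 100.0):
    """Two OKV nodes: the endpoint simply moves to the surviving node."""
    servers = [KeyServer("okv1", "tde-master-1", b"\x01" * 32),
               KeyServer("okv2", "tde-master-1", b"\x01" * 32)]
    return run_scenario(servers, "okv1", cache_timeout)


if __name__ == "__main__":
    print("standalone:", standalone_scenario())
    print("multi-master:", multimaster_scenario())
```

In the standalone run the key comes from the server at t=0, from the cache at t=50 and is unavailable at t=150 once the 100-second cache has expired; with the cache disabled (`cache_timeout=0`) the loss shows up immediately at t=50. In the multi-master run the second node answers at t=50 and t=150, so the cache never matters, which is the point the note above makes.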
OKV supports 12.1.0.2 to 23ai
MySQL on the Windows platform isn't supported
OKV can use a RoT (Root Of Trust) to protect encryption keys
HSMs are built with tamper-resistant hardware